vpn-manager: Add l2tp/ipsec vpn manager

ipsec_manager.cc

+// Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "vpn-manager/ipsec_manager.h"
+
+#include <grp.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#include <string>
+#include <vector>
+
+#include "base/file_util.h"
+#include "base/logging.h"
+#include "base/string_util.h"
+#include "chromeos/process.h"
+#include "gflags/gflags.h"
+
+#pragma GCC diagnostic ignored "-Wstrict-aliasing"
+DEFINE_string(leftprotoport, "17/1701", "client protocol/port");
+DEFINE_string(rightprotoport, "17/1701", "server protocol/port");
+DEFINE_string(local, "", "local IP address (needed for PSK)");
+DEFINE_bool(pfs, false, "pfs");
+DEFINE_bool(rekey, false, "rekey");
+#pragma GCC diagnostic error "-Wstrict-aliasing"
+
+const char kStarterPidFile[] = "/var/run/starter.pid";
+const char kIpsecConnectionName[] = "ipsec_managed";
+const char kIpsecUpFile[] = "/tmp/ipsec-up";
+const char kIpsecGroupName[] = "ipsec";
+const char kStatefulContainer[] = "/mnt/stateful_partition/etc";
+
+// Give IPsec layer 2 seconds to shut down before killing it.
+const int kTermTimeout = 2;
+
+using ::chromeos::Process;
+using ::chromeos::ProcessImpl;
+
+IpsecManager::IpsecManager()
+    : ServiceManager("ipsec"), output_fd_(-1), ike_version_(0),

[petkov, 2011/03/04 18:42:56]

shouldn't the initializer be on separate lines?

[kmixter1, 2011/03/05 02:48:59]

Oops, you're right. Done.

+      ipsec_group_(0), stateful_container_(kStatefulContainer),
+      starter_pid_file_(kStarterPidFile), starter_(new ProcessImpl) {
+}
+
+bool IpsecManager::Initialize(int ike_version,
+                              const std::string& remote,
+                              const std::string& psk_file,
+                              const std::string& server_ca_file,
+                              const std::string& client_key_file,
+                              const std::string& client_cert_file) {
+  if (remote.empty()) {
+    LOG(ERROR) << "Missing remote to IPsec layer";
+    return false;
+  }
+  remote_ = remote;
+
+  if (psk_file.empty() && server_ca_file.empty() && client_key_file.empty() &&

[petkov, 2011/03/04 18:42:56]

move this check under if psk_file.empty() block (just like you've done for the
else case)

[kmixter1, 2011/03/05 02:48:59]

Done.

+      client_cert_file.empty()) {
+    LOG(ERROR) << "Must specify either PSK or certificates for IPsec layer";
+    return false;
+  }
+
+  if (psk_file.empty()) {
+    // Must be a certificate based connection.
+    if (!file_util::PathExists(FilePath(server_ca_file))) {

[petkov, 2011/03/04 18:42:56]

server_ca_file could be empty here. maybe you want to change/split the
PSK/certificates check above?

[kmixter1, 2011/03/05 02:48:59]

If everything's empty, user will get a message that one needs to be set.  If any
one of the cert-path files is set, then the empty ones will be indicated by
saying the file '' isn't valid.  Seems ok.

+      LOG(ERROR) << "Invalid server CA file for IPsec layer: "
+                 << server_ca_file;
+      return false;
+    }
+    server_ca_file_ = server_ca_file;
+
+    if (!file_util::PathExists(FilePath(client_key_file))) {
+      LOG(ERROR) << "Invalid client key file for IPsec layer: "
+                 << client_key_file;
+      return false;
+    }
+    client_key_file_ = client_key_file;
+
+    if (!file_util::PathExists(FilePath(client_cert_file))) {
+      LOG(ERROR) << "Invalid client certificate file for IPsec layer: "
+                 << client_key_file;
+      return false;
+    }
+    client_cert_file_ = client_cert_file;
+  } else {
+    if (!server_ca_file.empty() ||
+        !client_key_file.empty() ||
+        !client_cert_file.empty()) {
+      LOG(ERROR) << "Specified both PSK and certificates for IPsec layer";
+      return false;
+    }
+    if (!file_util::PathExists(FilePath(psk_file))) {
+      LOG(ERROR) << "Invalid PSK file for IPsec layer: " << psk_file;
+      return false;
+    }
+    psk_file_ = psk_file;
+  }
+
+  if (ike_version != 1 && ike_version != 2) {
+    LOG(ERROR) << "Unsupported IKE version" << ike_version;
+    return false;
+  }
+  ike_version_ = ike_version;
+
+  file_util::Delete(FilePath(kIpsecUpFile), false);
+
+  return true;
+}
+
+bool IpsecManager::FormatPsk(const FilePath& input_file,
+                             std::string* formatted) {
+  std::string psk;
+  if (!file_util::ReadFileToString(input_file, &psk)) {
+    LOG(ERROR) << "Unable to read PSK from " << input_file.value();
+    return false;
+  }
+  if (FLAGS_local.empty()) {
+    LOG(ERROR) << "Local IP address must be supplied for PSK mode";
+    return false;
+  }
+  //TODO: use trim function

[petkov, 2011/03/04 18:42:56]

// TODO(kmixter) or fix the todo

[kmixter1, 2011/03/05 02:48:59]

Done.

+  if (psk[psk.size() - 1] == '\n')
+    psk.erase(psk.size() - 1, 1);
+  // TODO(kmixter): Support PSKs with arbitrary characters.
+  *formatted =
+      StringPrintf("%s %s : PSK \"%s\"\n", FLAGS_local.c_str(),
+                   remote_.c_str(), psk.c_str());
+  return true;
+}
+
+void IpsecManager::KillCurrentlyRunning() {
+  if (!file_util::PathExists(FilePath(starter_pid_file_)))
+    return;
+  starter_->ResetPidByFile(starter_pid_file_);
+  if (Process::ProcessExists(starter_->pid()))

[petkov, 2011/03/04 18:42:56]

you don't just starter_->Reset(0) to avoid ERROR logs from Process::Kill?

[kmixter1, 2011/03/05 02:48:59]

Yes. And those ERROR logs are useful since they indicate something has died
without being anticipated/noticed.

+    starter_->Reset(0);
+  else
+    starter_->Release();
+  file_util::Delete(FilePath(starter_pid_file_), false);
+}
+
+bool IpsecManager::StartStarter() {
+  KillCurrentlyRunning();
+  LOG(INFO) << "Starting starter";
+  pid_t my_pid = getpid();
+  setenv("IPSEC_MANAGER_PID", StringPrintf("%d", my_pid).c_str(), 1);
+  starter_->AddArg(IPSEC_STARTER);

[petkov, 2011/03/04 18:42:56]

where IPSEC_STARTER declared?

[kmixter1, 2011/03/05 02:48:59]

Makefile

+  starter_->AddArg("--nofork");
+  starter_->RedirectUsingPipe(STDERR_FILENO, false);
+  if (!starter_->Start()) {
+    LOG(ERROR) << "Starter did not start successfully";
+    return false;
+  }
+  output_fd_ = starter_->GetPipe(STDERR_FILENO);
+  LOG(INFO) << "Starter started as pid " << starter_->pid();
+  return true;
+}
+
+inline void AppendBoolSetting(std::string* config, const char* key,
+                              bool value) {
+  config->append(StringPrintf("\t%s=%s\n", key, value ? "yes" : "no"));
+}
+
+inline void AppendStringSetting(std::string* config, const char* key,
+                                const std::string& value) {
+  config->append(StringPrintf("\t%s=%s\n", key, value.c_str()));
+}
+
+inline void AppendIntSetting(std::string* config, const char* key,
+                             int value) {
+  config->append(StringPrintf("\t%s=%d\n", key, value));
+}
+
+std::string IpsecManager::FormatStarterConfigFile() {
+  std::string config;
+  config.append("config setup\n");
+  if (ike_version_ == 1) {
+    AppendBoolSetting(&config, "charonstart", false);
+  } else {
+    AppendBoolSetting(&config, "plutostart", false);
+  }
+  config.append("conn managed\n");
+  AppendStringSetting(&config, "keyexchange",
+                      ike_version_ == 1 ? "ikev1" : "ikev2");
+  if (!psk_file_.empty()) AppendStringSetting(&config, "authby", "psk");
+  AppendBoolSetting(&config, "pfs", FLAGS_pfs);
+  AppendBoolSetting(&config, "rekey", FLAGS_rekey);
+  AppendStringSetting(&config, "left", "%defaultroute");
+  AppendStringSetting(&config, "leftprotoport", FLAGS_leftprotoport);
+  AppendStringSetting(&config, "leftupdown", IPSEC_UPDOWN);
+  AppendStringSetting(&config, "right", remote_);
+  AppendStringSetting(&config, "rightprotoport", FLAGS_rightprotoport);
+  AppendStringSetting(&config, "auto", "start");
+  return config;
+}
+
+bool IpsecManager::SetIpsecGroup(const FilePath& file_path) {
+  DLOG(INFO) << "Setting " << file_path.value() << " to gid " << ipsec_group_;
+  return chown(file_path.value().c_str(), getuid(), ipsec_group_) == 0;
+}
+
+bool IpsecManager::WriteConfigFiles() {
+  // We need to keep secrets in /mnt/stateful_partition/etc for now
+  // because pluto loses permissions to /home/chronos before it tries
+  // reading secrets.  TODO: write this via a fifo.
+  FilePath secrets_path_ = FilePath(stateful_container_).
+      Append("ipsec.secrets");
+  file_util::Delete(secrets_path_, false);
+  if (!psk_file_.empty()) {
+    std::string formatted;
+    if (!FormatPsk(FilePath(psk_file_), &formatted)) {
+      LOG(ERROR) << "Unable to create secrets contents";
+      return false;
+    }
+    if (!file_util::WriteFile(secrets_path_, formatted.c_str(),
+                              formatted.length()) ||
+        !SetIpsecGroup(secrets_path_)) {
+      LOG(ERROR) << "Unable to write secrets file " << secrets_path_.value();
+      return false;
+    }
+  } else {
+    LOG(FATAL) << "Certificate mode not yet implemented";
+  }
+  FilePath starter_config_path = temp_path_.Append("ipsec.conf");
+  std::string starter_config = FormatStarterConfigFile();
+  if (!file_util::WriteFile(starter_config_path, starter_config.c_str(),
+                            starter_config.size()) ||
+      !SetIpsecGroup(starter_config_path)) {
+    LOG(ERROR) << "Unable to write ipsec config files";
+    return false;
+  }
+  FilePath config_symlink_path = FilePath(stateful_container_).
+      Append("ipsec.conf");
+  file_util::Delete(config_symlink_path, false);
+  if (symlink(starter_config_path.value().c_str(),
+              config_symlink_path.value().c_str()) < 0) {
+    LOG(ERROR) << "Unable to symlink config file";
+    return false;
+  }
+  return true;
+}
+
+bool IpsecManager::Start() {
+  if (!ipsec_group_) {
+    struct group group_buffer;
+    struct group* group_result = NULL;
+    char buffer[256];
+    if (getgrnam_r(kIpsecGroupName, &group_buffer, buffer,
+                   sizeof(buffer), &group_result) != 0 || !group_result) {
+      LOG(ERROR) << "Cannot find group id for " << kIpsecGroupName;
+      return false;
+    }
+    ipsec_group_ = group_result->gr_gid;
+    LOG(INFO) << "Using ipsec group " << ipsec_group_;
+  }
+  if (!WriteConfigFiles())
+    return false;
+  if (!StartStarter())
+    return false;
+
+  return true;
+}
+
+int IpsecManager::Poll() {
+  if (is_running()) return -1;
+  // TODO: run whack/stroke --rereadsecrets instead and use

[petkov, 2011/03/04 18:42:56]

TODO(kmixter)

[kmixter1, 2011/03/05 02:48:59]

Done.

+  // a null up/down script.
+  if (!file_util::PathExists(FilePath(kIpsecUpFile)))
+    return 1000;
+
+  // This indicates that the connection came up successfully.
+  LOG(INFO) << "IPsec connection now up";
+  OnStarted();
+  return -1;
+}
+
+void IpsecManager::HandleChild(pid_t pid, int signal) {
+  if (pid != starter_->pid())
+    return;
+
+  LOG(INFO) << "IPsec layer stopped";
+  OnStopped(true);
+}
+
+void IpsecManager::Stop() {
+  if (starter_->pid() == 0) {
+    return;
+  }
+
+  if (!starter_->Kill(SIGTERM, kTermTimeout)) {

[petkov, 2011/03/04 18:42:56]

this SIGTERM->SIGKILL sequence seems like a good utility for Process

[kmixter1, 2011/03/05 02:48:59]

I agree, but it's complicated.  If the process is a child process, then this
sequence makes sense. If it's not, then the Kill will always succeed but the
process will not necessarily die (because it's impossible to tell with certainty
in POSIX unless the parent/child relationship exists).

+    starter_->Kill(SIGKILL, 0);
+    OnStopped(true);
+    return;
+  }
+  OnStopped(false);
+}